Diagnosing NAT problems with Cisco 851


  • Diagnosing NAT problems with Cisco 851

    Hello all, this is my first post so feel free to correct me if I am posting incorrectly. Also, thanks in advance for anyone who takes the time to read this.

    I recently purchased a Cisco 851 for my home, and used the SDM to configure it. The first time I chose defaults (basic firewall, basic NAT, DHCP internally, connect to my ISP using DHCP as well). I didn't manually override anything. I found the tool helpful and easy to use. My hope was to then examine my run config and reverse engineer what it had done as a jumpstart into learning IOS.

    After the initial install everything was fine, except that I could not connect to my friend's Microsoft VPN (PPTP with MSCHAP), whereas when I connect directly to the cable modem, I am able to. I suspected firewall rules at play.

    My other problem (and persistent problem) is that I cannot get my Tivo to connect to the host service going through the router. Connecting directly to the modem, everything works fine.

    To rule out firewall, I reset to factory defaults, reran SDM and chose to skip enabling the firewall, and unchecked the SDM options that pertained to security. After doing this, my MSCHAP PPTP connection works fine, but my Tivo still cannot connect. Tivo reports that it uses services on ports: UDP 37, 123; TCP 37,80,443,5005,5222,5223,7287,7288,8000,8080-8089.

    Obviously, I am not looking for a solution to my problem with as little info as I have provided. Instead, I am looking for advice on how to troubleshoot this. Is there a way that I can log the activities while the Tivo is sending outbound traffic to determine what's happening? Or is there a better "diagnostic approach" I should take? Of course any resources or links anyone has that will give me a better understanding of Cisco routing / config concepts would be great. I assume it's a NAT/PAT problem, even though I don't seem to see how it could be since everything else appears to work correctly. As far as I know Tivo is just making standard requests outside the wall (presumably HTTP requests).

    Here is my current config if this sheds any light. Again thanks so much for reading and even giving this half a second of thought. I realize that it's vague and naive, but I'm feeling a bit at a loss.

    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname steverouter
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 debugging
    logging console critical
    enable secret 5 ...
    !
    no aaa new-model
    !
    resource policy
    !
    clock timezone PCTime -6
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    ip subnet-zero
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.102.1 192.168.102.99
    !
    ip dhcp pool sdm-pool1
     import all
     network 192.168.102.0 255.255.255.0
     dns-server 68.87.68.162 68.87.74.162
     default-router 192.168.102.1
    !
    !
    ip cef
    ip tcp synwait-time 10
    ip domain name steve.dnsdojo.com
    ip name-server 68.87.68.162
    ip name-server 68.87.74.162
    !
    !
    crypto pki trustpoint TP-self-signed-2778007988
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-2778007988
     revocation-check none
     rsakeypair TP-self-signed-2778007988
    !
    !
    crypto pki certificate chain TP-self-signed-2778007988
     certificate self-signed 01
     <took out the certificate info>
    username steve privilege 15 secret 5
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
     description $ES_WAN$$FW_OUTSIDE$
     ip address dhcp client-id FastEthernet4
     ip nat outside
     ip virtual-reassembly
     ip route-cache flow
     duplex auto
     speed auto
    !
    interface Vlan1
     description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
     ip address 192.168.102.1 255.255.255.0
     ip mtu 1492
     ip nat inside
     ip virtual-reassembly
     ip route-cache flow
     ip tcp adjust-mss 1452
    !
    ip classless
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 1 interface FastEthernet4 overload
    !
    logging trap debugging
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.102.0 0.0.0.255
    no cdp run
    !
    control-plane
    !
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
     login local
     no modem enable
    line aux 0
    line vty 0 4
     privilege level 15
     login local
     transport input telnet ssh
    !
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    end

  • #2
    Re: Diagnosing NAT problems with Cisco 851

    Ok- I think I found (to me) an interesting result. I am almost certain this is a NAT/PAT problem now, but I guess I do not understand the intricacies of NAT/PAT to figure this one out.

    I actually own two Tivos and have nine other computers on my home network. If the Tivo is the only thing connected to the router then it connects fine, but as soon as I plug the rest of the switch in everything fails. I will try to narrow this down to one computer device (and it doesn't appear to be the other computer), but does this make any sense? My Linksys was able to handle my current configuration without any problems, and thus I'm sure I just don't have something configured correctly.

    Any insight or help to tell me what debug commands would give me some insight will be extremely helpful. Thanks in advance.

    Steve



    • #3
      Re: Diagnosing NAT problems with Cisco 851

      Originally posted by SteveDT123
      Hello all, this is my first post so feel free to correct me if I am posting incorrectly. ... Is there a way that I can log the activities while the Tivo is sending outbound traffic to determine what's happening? or is there a better "diagnostic approach" I should take?

      You might want to look into a packet capture program. Ethereal is one I find handy; there is also Wireshark (same thing? :P).
      It might be worth setting up a capture when everything works so you know what to look at/for. I don't believe it will be possible to see "outside the router".

      From your second post I'd look at how the switch is configured. Do you have the same problem if you plug the TiVo into another port on it? What happens if just the TiVo is on the switch?


      Btw you will have to use a hub to see traffic for your capture.
      I don't know anything about (you or your) computers.
      Research/test for yourself when listening to free advice.



      • #4
        Re: Diagnosing NAT problems with Cisco 851

        Thanks for the reply, Maebe. I have heard of Ethereal, but have never used it. I think I narrowed it down to a particular box. I have no idea what on this box is conflicting but certainly an analyzer like Ethereal would help, nor why I haven't seen this problem with my old router.

        I will go dust off an old hub from the attic and set up Ethereal. Thanks again for taking the time to give your opinion!


        Steve



        • #5
          Re: Diagnosing NAT problems with Cisco 851

          Did you try
          show ip nat statistics
          show ip nat translations
          and
          debug ip nat
          ?
          Regards,
          Csaba Papp
          MCSA+messaging, MCSE, CCNA
          ...............................
          Remember to give credit where credit is due and leave reputation points where appropriate
          .................................
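
One way to read the `show ip nat translations` output suggested in the post above. This is an added example, not part of the thread: it counts PAT translations per inside host and flags entries where the router rewrote the source port. The sample table is constructed (documentation addresses plus the thread's 192.168.102.0/24 LAN), and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample in the column layout of `show ip nat translations`;
# addresses are documentation ranges plus the thread's 192.168.102.0/24 LAN.
SAMPLE = """\
Pro Inside global      Inside local          Outside local      Outside global
tcp 203.0.113.10:1025  192.168.102.100:1025  198.51.100.5:443   198.51.100.5:443
udp 203.0.113.10:123   192.168.102.100:123   198.51.100.7:123   198.51.100.7:123
udp 203.0.113.10:1024  192.168.102.101:123   198.51.100.7:123   198.51.100.7:123
tcp 203.0.113.10:3312  192.168.102.102:3312  198.51.100.9:80    198.51.100.9:80
--- 203.0.113.11       192.168.102.50        ---                ---
"""

def split_endpoint(field):
    """'addr:port' -> (addr, port); fields without a port give port None."""
    addr, sep, port = field.partition(":")
    return addr, (int(port) if sep else None)

def parse_translations(text):
    """Yield one dict per dynamic (PAT) entry; skip header and static rows."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5 or cols[0] in ("Pro", "---"):
            continue
        proto, in_global, in_local, _out_local, out_global = cols
        yield {"proto": proto,
               "inside_global": split_endpoint(in_global),
               "inside_local": split_endpoint(in_local),
               "outside_global": out_global}

def summarize(text):
    """Per inside host: translation count and entries whose source port changed."""
    hosts = defaultdict(lambda: {"total": 0, "rewritten": []})
    for e in parse_translations(text):
        addr, local_port = e["inside_local"]
        global_port = e["inside_global"][1]
        hosts[addr]["total"] += 1
        if local_port != global_port:
            hosts[addr]["rewritten"].append(
                (e["proto"], local_port, global_port, e["outside_global"]))
    return dict(hosts)

if __name__ == "__main__":
    for addr, info in sorted(summarize(SAMPLE).items()):
        print(addr, "translations:", info["total"])
        for proto, lport, gport, dest in info["rewritten"]:
            print(f"  {proto} source port {lport} rewritten to {gport} -> {dest}")
```

Comparing this summary taken with only one device attached against one taken with the full LAN attached shows which hosts' flows are translated differently once other devices compete for the same overloaded address.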



          • #6
            Re: Diagnosing NAT problems with Cisco 851

            Hi,
            Not to be smart but do the TiVo and this one box have the same IP address?

            I'm not up on TiVo but I did find a list of ports it uses on their website with some you haven't listed. I don't know if this is due to a model difference or updates or what but it might be worth a look. These ports seem to need to be open between the TiVo and your PC though.

            Are you trying to connect to your router from the outside and view your TiVo that way or is this all on the LAN?
            I don't know anything about (you or your) computers.
            Research/test for yourself when listening to free advice.



            • #7
              Re: Diagnosing NAT problems with Cisco 851

              Ethereal and Wireshark are pretty much the same thing. The person who created Ethereal left the company he worked at when he created it and was forced to leave the "intellectual property" behind so he created Wireshark.
